From 6f86a03df6413c1a9d46ece73f18aa4f34cbf3db Mon Sep 17 00:00:00 2001 From: Guy Sartorelli <36352093+GuySartorelli@users.noreply.github.com> Date: Wed, 15 Jan 2025 12:05:38 +1300 Subject: [PATCH 1/2] DOC Document security patches (#675) Co-authored-by: Steve Boyd --- en/08_Changelogs/5.4.0.md | 43 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 43 insertions(+) diff --git a/en/08_Changelogs/5.4.0.md b/en/08_Changelogs/5.4.0.md index 6165640b..15024bf0 100644 --- a/en/08_Changelogs/5.4.0.md +++ b/en/08_Changelogs/5.4.0.md 
@@ -6,16 +6,37 @@ title: 5.4.0 (unreleased) ## Overview +- [Security considerations](#security-considerations) - [Features and enhancements](#features-and-enhancements) + - [New `XssSanitiser` class](#new-xsssanitiser-class) - [Option to change `ClassName` column from enum to varchar](#classname-varchar) - [Reports quality of life updates](#reports-quality-of-life-updates) - [New `class_description` configuration on `DataObject`](#class-description) + - [`oEmbed` sandboxing](#oembed-sandboxing) - [Other new features](#other-new-features) - [API changes](#api-changes) - [Bug fixes](#bug-fixes) +## Security considerations {#security-considerations} + +Three security fixes that were previously released in the January security release are mentioned in the [Silverstripe CMS security patches January 2025 blog post](https://www.silverstripe.org/blog/silverstripe-cms-security-patches-january-2025) are listed below. + +Review the individual vulnerability disclosure for more detailed descriptions of each security fix. We highly encourage upgrading your project to include the latest security patches. + +We have provided a severity rating of the vulnerabilities below based on the CVSS score. Note that the impact of each vulnerability could vary based on the specifics of each project. You can [read the severity rating definitions in the Silverstripe CMS release process](/contributing/release_process/#severity-rating). 
+ +- [CVE-2024-47605 - XSS via insert media remote file oembed](https://www.silverstripe.org/download/security-releases/cve-2024-47605) Severity: Medium +- [CVE-2024-53277 - XSS in form messages](https://www.silverstripe.org/download/security-releases/cve-2024-53277) Severity: Medium +- [SS-2024-002 - Reflected Cross Site Scripting (XSS) in error message](https://www.silverstripe.org/download/security-releases/ss-2024-002) Severity: None + ## Features and enhancements +### New `XssSanitiser` class + +By far the most common type of security vulnerability that gets reported to us is XSS vulnerabilities. In many cases we can remove the vulnerability vector by disallowing HTML altogether, or by removing HTML specifically from user-provided input. Sometimes we need to allow HTML content from the user, such as in the WYSIWYG editor in the CMS - and in those cases we can mitigate XSS vulnerabilities by removing specific XSS attack vectors from the HTML content. + +To help with this, we've added a new [`XssSanitiser`](api:SilverStripe\Core\XssSanitiser) class, which removes some known XSS attack vectors from HTML content. Note that this should be used only in scenarios where the HTML content can't be completely removed, and should not be considered a complete protection against all XSS attack vectors but rather as simply one of many tools in your security tool box. + ### Option to change `ClassName` column from enum to varchar {#classname-varchar} On websites with very large database tables it can take a long time to run `dev/build`, which can be a problem when deploying changes to production. This is because the `ClassName` column is an `enum` type which requires an a `ALTER TABLE` query to be run affecting every row whenever there is a new valid value for the column. 
For a very rough benchmark, running an `ALTER TABLE` query on a database table of 10 million records took 28.52 seconds on a mid-range 2023 laptop, though this time will vary depending on the database and hardware being used. @@ -58,6 +79,28 @@ As a part of this change, the [`SiteTree.description`](api:SilverStripe\CMS\Mode The `SilverStripe\CMS\Model\SiteTree.DESCRIPTION` localisation key (along with the `.DESCRIPTION` suffix for any `SiteTree` subclass) will stop being used in a future major release. Use `SilverStripe\CMS\Model\SiteTree.CLASS_DESCRIPTION` instead. +### `oEmbed` sandboxing + +As part of the fix for the security vulnerability `CVE-2024-47605` we have added a new feature to sandbox returned oEmbed HTML content in an `iframe` tag. + +You can explicitly declare domains which should be excluded from sandboxing if you find it is interfering with embeds from specific domains. For example if a YouTube embed was not rendering correctly as a result of the sandboxing you could use this YAML configuration: + +```yml +SilverStripe\View\Shortcodes\EmbedShortcodeProvider: + domains_excluded_from_sandboxing: + - 'youtube.com' +``` + +Do not include the protocol (i.e. don't include `https://` or `http://`). + +You can also change the attributes of the iframe itself with this YAML configuration: + +```yml +SilverStripe\View\Shortcodes\EmbedShortcodeProvider: + sandboxed_iframe_attributes: + allow: 'fullscreen' +``` + ### Other new features - A new [`BaseKernel::getBooted()`](api:SilverStripe\Core\BaseKernel::getBooted()) method has been added for checking whether the kernel has been booted yet or not. From 7088fb351e5c90fc2d6fdfe1f63dcefb9f32075e Mon Sep 17 00:00:00 2001 
From: Guy Sartorelli <36352093+GuySartorelli@users.noreply.github.com> Date: Thu, 16 Jan 2025 10:10:19 +1300 Subject: [PATCH 2/2] DOC Document new UX for unique index violations (#676) --- en/02_Developer_Guides/00_Model/12_Indexes.md | 5 +++++ en/08_Changelogs/5.4.0.md | 11 +++++++++++ 2 files changed, 16 insertions(+) diff --git a/en/02_Developer_Guides/00_Model/12_Indexes.md b/en/02_Developer_Guides/00_Model/12_Indexes.md index 29fc00d1..44e68304 100644 --- a/en/02_Developer_Guides/00_Model/12_Indexes.md +++ b/en/02_Developer_Guides/00_Model/12_Indexes.md @@ -61,6 +61,11 @@ support the following: - `unique`: Index plus uniqueness constraint on the value - `fulltext`: Fulltext content index +> [!NOTE] +> Violating a unique index will throw a [`DuplicateEntryException`](api:SilverStripe\ORM\Connect\DuplicateEntryException) exception which you can catch and handle to produce appropriate validation messages. +> +> If the violation happens when calling [`DataObject::write()`](api:SilverStripe\ORM\DataObject::write()), the exception will be caught and a [`ValidationException`](api:SilverStripe\ORM\ValidationException) will be thrown instead. The CMS catches any `ValidationException` and displays them as user friendly validation errors in edit forms. + ```php // app/src/MyTestObject.php namespace App\Model; diff --git a/en/08_Changelogs/5.4.0.md b/en/08_Changelogs/5.4.0.md index 15024bf0..ec0969a8 100644 --- a/en/08_Changelogs/5.4.0.md +++ b/en/08_Changelogs/5.4.0.md @@ -13,6 +13,7 @@ title: 5.4.0 (unreleased) - [Reports quality of life updates](#reports-quality-of-life-updates) - [New `class_description` configuration on `DataObject`](#class-description) - [`oEmbed` sandboxing](#oembed-sandboxing) + - [UX improvement for unique indexes](#unique-indexes) - [Other new features](#other-new-features) - [API changes](#api-changes) - [Bug fixes](#bug-fixes) 
@@ -101,6 +102,16 @@ SilverStripe\View\Shortcodes\EmbedShortcodeProvider: allow: 'fullscreen' ``` +### UX improvement for unique indexes {#unique-indexes} + +It has been possible to create unique indexes for `DataObject` models for a long time in Silverstripe CMS, but when these unique indexes were violated (i.e. a user tried to create a duplicate record), there was no UX feedback in the CMS. + +Violating a unique index will now throw a new [`DuplicateEntryException`](api:SilverStripe\ORM\Connect\DuplicateEntryException) exception which you can catch and handle to produce appropriate validation messages. + +If the violation happens when calling [`DataObject::write()`](api:SilverStripe\ORM\DataObject::write()), the exception will be caught and a [`ValidationException`](api:SilverStripe\ORM\ValidationException) will be thrown instead. The CMS catches any `ValidationException` and displays them as user friendly validation errors in edit forms. + +See [indexes](/developer_guides/model/indexes/) to learn about indexes in Silverstripe CMS. + ### Other new features - A new [`BaseKernel::getBooted()`](api:SilverStripe\Core\BaseKernel::getBooted()) method has been added for checking whether the kernel has been booted yet or not.
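Review bot: In the `@@ -6,16 +6,37 @@` hunk of `en/08_Changelogs/5.4.0.md`, the sentence that opens the Security considerations section has two main verbs and does not parse: `Three security fixes that were previously released in the January security release are mentioned in the [...] blog post are listed below.` Suggest `Three security fixes, which were previously released in the January security release and are described in the [Silverstripe CMS security patches January 2025 blog post](...), are listed below.` In the same hunk, `SS-2024-002 - Reflected Cross Site Scripting (XSS) in error message` carries `Severity: None`; a reflected XSS rated None reads as a contradiction on first sight, so confirm the rating against the advisory and, if it is correct, add a short clause saying why the impact is rated that low. Also in this hunk, the `XssSanitiser` paragraph says the class "removes some known XSS attack vectors" without saying which, so readers cannot judge what it does and does not cover; either list the categories it strips or link to the class documentation that does. Minor: `tool box` should be `toolbox`, and the new `### New \`XssSanitiser\` class` heading lacks the explicit `{#...}` anchor that the other new headings in this file (`{#security-considerations}`, `{#classname-varchar}`) use, so the `#new-xsssanitiser-class` link in the overview depends on the slug generator.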
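Review bot: The `domains_excluded_from_sandboxing` example in the `@@ -58,6 +79,28 @@` hunk documents the escape hatch but not its cost: every domain listed there receives its oEmbed HTML unsandboxed, which is the vector `CVE-2024-47605` closed, so the paragraph should say that only providers the site operator trusts belong on the list and that it should be kept as short as possible. The hunk also does not say how a domain is matched (exact host only, or does `'youtube.com'` also cover `www.youtube.com`?), which a reader needs before writing a correct entry; document the matching rule alongside the "do not include the protocol" instruction. For `sandboxed_iframe_attributes`, state the default value of the `sandbox` attribute and make clear that the example adds `allow: 'fullscreen'` rather than overriding `sandbox` itself, since replacing `sandbox` would undo the protection. Minor: `CVE-2024-47605` is in backticks here but linked to the advisory in the Security considerations section; link it here as well.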
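Review bot: The note added in the `@@ -61,6 +61,11 @@` hunk of `en/02_Developer_Guides/00_Model/12_Indexes.md` tells the reader to catch `DuplicateEntryException`, and the next sentence says `DataObject::write()` converts it to a `ValidationException`, but it never says which code paths surface the raw `DuplicateEntryException`; spell out where developers should expect each exception (for example, whether direct queries through the database connector throw the raw exception) so they know which one to catch in which context. Style: `user friendly validation errors` should be hyphenated as `user-friendly`.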
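Review bot: The second and third paragraphs of the `UX improvement for unique indexes` section in the `@@ -101,6 +102,16 @@` hunk are a verbatim copy of the note added to `12_Indexes.md` in the same patch; since the section already links to the indexes guide, consider reducing this to a one-sentence summary and letting the guide carry the detail, so the two copies do not drift apart in later edits. The first paragraph says there was `no UX feedback in the CMS` before this change but not what developers actually saw (an uncaught database exception?); stating the previous behaviour lets readers decide whether code that handled the old failure needs updating. `user friendly` should be `user-friendly` here too.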